Issue: Errors regarding digital signature after installing Ivanti Endpoint Security (EPS) on Windows 7 or Windows Server 2008 R2

Version 5

    Verified Product Versions

    Endpoint Manager 2017.x
    Endpoint Manager 2018.x

    Issue

     

    Errors regarding digital signature after installing Ivanti Endpoint Security (EPS) on Windows 7 or Windows Server 2008 R2

     

    The following errors are seen:

     

                  Your computer was unable to start. Startup repair is checking your system for problems

     

    After booting, EPS will not run correctly because Startup Repair will have removed the EPS driver (LDSECDRV.SYS). If you reinstall, you may be presented with the following message:

                              Windows requires a digitally signed driver

     

    If you reboot at this point there will be no LDSECDRV.SYS and you will receive the following error from EPS:

     

    Cannot start the Ivanti Endpoint Security Service.  You need administrator rights to start the service.

     

    The Windows Security event log reports Event ID 6281:

     

    Log Name:      Security

    Source:        Microsoft-Windows-Security-Auditing

    Date:          2018-09-05 12:39:26

    Event ID:      6281

    Task Category: System Integrity

    Level:         Information

    Keywords:      Audit Failure

    User:          N/A

    Computer:      computer.domain.com

    Description: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

    File Name: \Device\HarddiskVolume2\Windows\System32\drivers\LDSecDrv.sys

     


    Cause

     

    Ivanti now publishes the EPS driver LDSECDRV.SYS using the latest SHA-256 signing algorithm.


     

    The Ivanti EPS driver LDSECDRV.SYS is not compatible with Windows 7 or Windows Server 2008 R2 systems that do not have the Microsoft Windows update KB3033929 installed:

     

    Microsoft Security Advisory 3033929 | Microsoft Docs

     

    This update allows Windows 7 and Windows Server 2008 R2 to use the SHA-256 signing technology for drivers.  It is recommended to update your computers to the latest patch level prior to installing Endpoint Security.  Later operating systems should not experience this issue.

     

    * Ivanti Patch Manager patch ID 3033929_MSU - Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015 (3033929). Microsoft is announcing the reissuance of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. This update supersedes the 2949927 update that was rescinded on October 17, 2014 to address issues that some customers experienced after installation. As with the original release, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update because SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.

    http://support2.microsoft.com/kb/3033929
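
A pre-install check for the condition described above, as an added example that is not Ivanti's own code: it reports whether the machine is Windows 7 / Server 2008 R2, whether KB3033929 is listed as installed, and whether Event ID 6281 has already been logged for LDSecDrv.sys. The driver path is assumed from the File Name field in the event shown earlier.

```powershell
# Added example (not Ivanti code). Run from an elevated prompt: reading the
# Security log requires administrator rights. Compatible with PowerShell 2.0.
$kbId       = 'KB3033929'
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\LDSecDrv.sys'  # assumed path

# Windows 7 and Windows Server 2008 R2 both report OS version 6.1.
$os         = [Environment]::OSVersion.Version
$affectedOs = ($os.Major -eq 6 -and $os.Minor -eq 1)

# Get-HotFix matches on the update's own ID; treat "not found" as a reason
# to review the machine's patch level before deploying EPS.
$hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue

# Code Integrity audit failures (Event ID 6281) that name the EPS driver.
# Get-WinEvent returns the newest events first.
$ciEvents = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6281 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'LDSecDrv\.sys' }
)

if (-not $affectedOs) {
    $verdict = 'Not Windows 7 / Server 2008 R2: this check does not apply'
} elseif (-not $hotfix) {
    $verdict = "$kbId not found: install it before installing EPS"
} elseif ($ciEvents.Count -gt 0) {
    $verdict = "$kbId present; 6281 events for the driver are logged (check their dates)"
} else {
    $verdict = "$kbId present: OK to install EPS"
}

New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    OSVersion     = $os.ToString()
    KBInstalled   = [bool]$hotfix
    DriverPresent = (Test-Path $driverPath)
    Events6281    = $ciEvents.Count
    LastEvent6281 = ($ciEvents | Select-Object -First 1).TimeCreated
    Verdict       = $verdict
} | Select-Object Computer, OSVersion, KBInstalled, DriverPresent,
                  Events6281, LastEvent6281, Verdict
```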

     
